塑造DevSecOps未来的关键趋势

●

MamGa

EquityResearch

Technology,Media,CommunicationsJuly7,2025

JonathanHo/p>

Thisreportisintendedforenelson@.Unauthorizeddistributionprohibited.

JasonAder,CFA+16172357519ArjunBhatia,CPAakeRoberge/p>

OntheGroundandIntheCloudADeveloperTechnologyQuarterly:

DevSecOpsRefreshEdition

SebastienNaji+12122456508GarrettBurkam/p>

Pleaserefertoimportantdisclosuresonpages41-42.Analystcertificationisonpage41.

WilliamBlairoranaffiliatedoesandseekstodobusinesswithcompaniescoveredinitsresearch

reports.Asaresult,investorsshouldbeawarethatthefirmmayhaveaconflictofinterestthatcouldaffecttheobjectivityofthisreport.Thisreportisnotintendedtoprovidepersonalinvestmentadvice.Theopinionsandrecommendationshereindonottakeintoaccountindividualclientcircumstances,objectives,orneedsandarenotintendedasrecommendationsofparticularsecurities,financial

instruments,orstrategiestoparticularclients.Therecipientofthisreportmustmakeitsownindependentdecisionsregardinganysecuritiesorfinancialinstrumentsmentionedherein.

WilliamBlair

JonathanHo+131236482762

Contents

Introduction 2

ExecutiveSummary 3

KeyTakeaways 4

ExaminingtheDevSecOpsMarketLandscape 7

AI’sImpactonDevSecOps 14

DevSecOpsMarketSizeandGrowthOutlook 16

DevSecOpsTrends 18

CoreValuePropositionsofDevSecOpsPlatforms 22

ProprietarySurveyofDevelopers 25

Appendix–PrivateCompanyProfiles 32

Glossary 38

Introduction

OntheGroundandIntheCloudisaquarterlypublicationproducedbytheWilliamBlairtechnologyteamthatdelvesintotrendsimpactingdevelopertechnologiesacrossawidescopeoftopicsthatincludessoftware

development,DevOps,database,analytics,andobservability.Overthepastdecade,developershavebecome

increasinglyimportantinfluencersacrossallorganizations,assoftwareapplicationsanddigitaltransformation

havebecomecriticaltobusinessoperations,customerinteraction,andcompetitiveadvantage.Morerecently,thistrendhasbeenaccentuatedbyblackswaneventsliketheCOVID-19pandemicandaslewofsoftwaresupply

chainattacks.Developersrepresenttheearlyadopterswhowilldeterminethesuccessofaparticularsoftwareproductorproject.Asaresult,webelieveitisessentialtoexaminethekeytechnologicalandculturaldynamicsimpactingthisall-importantcohortofworkers.

InthisDevSecOpsRefresheditionofOntheGroundandIntheCloud,weprovideupdatedresultsfromourmostrecentproprietarysurveyofdevelopers/practitioners,examinetheoverallDevSecOpsmarketanditsmajor

playersandhowithaschangedoverthelastyear,anddiscussthelatesttrendsinthespace.WealsoprovideourthoughtsonwhatimpactAImighthaveonDevSecOps,andwehighlightrelevantprivatecompanies.

WilliamBlair

JonathanHo+131236482763

ExecutiveSummary

DevSecOpsisthepracticeofembeddingsecuritythroughoutthesoftwaredevelopmentlifecycle(SDLC)toensurethatsecuritytesting,policies,andcontrolsareintegrateddirectlyintodeveloperandDevOpsworkflows.Insteadoftreatingsecurityasa

separatephaseattheendofthedevelopmentprocess,DevSecOpsmakesitacontinuousandsharedresponsibilityacrossIToperations,development,andsecurityteams.Thisapproachalignswithagileandcloud-nativesoftwaredeliverymethods,

whichenablesfasterandsafersoftwarereleasesbycatchingissuesearlierintheprocessandfosteringgreatercollaborationbetweentraditionallysiloedteams.ApplicationsandAPIsalsorepresentamajorattackvector,with25%ofalldatabreachestargetingapplicationlayervulnerabilities,accordingtoVerizon’slatestDataBreachInvestigationsReport.Softwaresupplychainsecurityisalsogainingmoreattentionafterhigh-profilebreaches,liketheSolarWindsandEquifaxattacks,highlightedtheneedtosecureallelementsinvolvedincreatinganddeliveringsoftware,especiallyopen-sourcesoftwaregiventhatit

accountsforupto90%ofmodernapplications.Thesetypesofattacksareshowingnosignsofslowing,withCheckPoint

recentlydiscoveringathreatactorknownasStargazerGoblinthathadcreatedanetworkofover3,000GitHubaccountstodistributemalwareandmaliciouslinksaspartofadistribution-as-a-service(DaaS)operation.

PleaseseeourprimerpieceonDevSecOpshere:

OntheGroundandIntheCloud:DevSecOpsEdition.

WebelieveDevSecOpsisessentialbecausetraditionalsecuritypracticesaresiloedandtooslowandreactivefortoday’srapidsoftwaredeliverycycles.DevSecOpsplatformsolutionshelporganizationsdetectandremediatevulnerabilitiesearlyinthe

developmentprocessbyintegratingsecurityintotheentireSDLC.Thesesolutionsprovideorganizationswiththeabilitytoscalesecurityacrossmultipleteamsandpipelines;enhancevisibilityintoapplicationsecurityandcomplianceposture;

improvecollaborationbetweendevelopers,security,andIToperationsteams;supportsecurityformodernapplicationarchitectures;betterintegrateDevSecOpstooling;andembedsecuritythroughoutthesoftwaredevelopmentprocess.

DevSecOpssolutionsalsoreducethecostofremediatingvulnerabilitieswhileenhancingdeveloperproductivitytoultimatelyenableorganizationstoshipsecurecodefasterwithfewerdisruptionsandlowerlong-termsecurityandcompliancecosts.

Fromourconversationswithprivatecompanies,publiccompanies,andindustryexpertsinthespace,webelievethe

DevSecOpscompetitivelandscapehasfourmajortypesofplayers:1)legacyapplicationsecurityvendors(likeCisco,Broadcom,IBM,andMicroFocus/OpenText);2)modernapplicationsecurityvendors(likeSnykandContrastSecurity);3)developer

platformproviders(likeGitHubandGitLab);and4)cloud-nativeapplicationprotectionplatform(CNAPP)vendors(likeWiz,

Sysdig,PaloAltoNetworks,andCrowdStrike).Inourview,developerplatforms,modernapplicationsecurityvendors,and

CNAPPvendorshavetherighttowininthemarketoverthemediumterm.Developerplatformsbenefitfromunmatched

integrationintodeveloperworkflows,broaddeveloperadoption,andsignificantplatformeffects,makingthesesolutionseasychoicesfordevelopersalreadyusingtheplatformtoshipsoftware.However,securityisnottheseplatforms’corecompetency,sowebelieveCNAPPsandmodernapplicationsecurityvendorsalsohavetherighttowin.Modernapplicationsecurityand

DevSecOpsvendorsarefocusedondevelopersecuritywithdeepexpertiseinthisdomain,whileCNAPPsofferunifiedcloudandapplicationsecuritysolutionsthatsecuresoftwareallthewayfromcodetoruntime.Longerterm,webelievemodern

DevSecOpscapabilitiesarelikelytofacecompetitivepressurefrombroaderplatformsthatincreasinglyoffersimilar

functionalityandwillbeconsolidatedintodeveloperplatformsandCNAPPs.Inourview,developerplatformsandCNAPPs

havethevaluepropositionsofreducingtoolsprawl,unifyingsecurityanddevelopmentworkflows,andmakingsecurityamoreintrinsicpartofthesoftwaredevelopmentlifecyclewithimprovedcapabilitiesovertime.WealsobelievethathyperscalersarelikelytocompetemoreseriouslyintheDevSecOpsspace,astheyownthecloudinfrastructurewheremodernapplicationsarebeingbuiltandrunandcanintegratesecuritycapabilities,whichcouldaccelerategivenGoogle’srecentacquisitionofWiz.

KeytrendsshapingDevSecOpsincludetheriseofplatformengineering,AIandautomation,softwaresupplychainsecurity,

applicationsecurityposturemanagement(ASPM),applicationdetectionandresponse(ADR),growingbutchallenging

adoption,andthepreferenceforplatformsolutions.WebelieveartificialintelligenceisreshapingDevSecOpsbyautomating

vulnerabilitydetection,eventtriage,incidentreports,sessionsummaries,andremediationwhilealsointroducingnewrisks

andchallengeswithAI-generatedcode.WeviewAIasadouble-edgedsword,asitbringssignificantadvantagesintermsof

developerproductivityandcybersecurityefficacy,butalsonewchallengesandsecurityrisks.Forexample,Metaconducteda

studyonAIcodegenerationandfoundthatthebetteranLLMisatwritingcode,theworseitisatavoidingvulnerablecoding

practices.Weexpectthistoimproveovertime,butitillustratestheheightenedriskAIbringsinthenearterm.Longerterm,webelieveAIagentswillfurtherdrivetheneedforDevSecOpstoolsasthesoftwaredeveloperroleshiftstothedevelopmentofAIagentsthatwillneedtobesecurebydesign.Overall,webelievetheDevSecOpsmarketissettobenefitfromAIasaresultoftheadvantagesofAI-enhancedcybersecurity,developersusingittowritemorecode,DevSecOpstoolsbecomingmoreefficientanduser-friendly,andtheneedtosecureAIitself,allofwhichweexpecttocontributetohigherdemandandadoptionrates.

WilliamBlair

JonathanHo+131236482764

KeyTakeaways

1.ModernDevSecOpsvendorsaregainingmarketshareduetogreaterdeveloperadoption,

integrations,performance,newtechnologycoverage,andusability.Webelievelegacyapplication

securityvendorshavemajorlimitationswithintegratingintoCI/CDpipelines,poordeliveryperformance,

andlaggedcoverageforemergingthreatvectors.Traditionaltoolsalsotypicallyfunctionasstandalone

productsusedsolelybysecurityteams,leadingtoaninefficientback-and-forthworkflowwithdevelopers

thatslowssoftwaredevelopmentandleadstosecurityissuesbeingidentifiedlateintheprocess.Modern

vendors,ontheotherhand,solveforthesechallengesandhaveamajoradvantagewithgreaterdeveloper

adoptiongiventhattheyaredesignedtobeusedbydevelopers.Theshifttocloudhasalsobenefitedmodernvendors,aslegacytoolswereoriginallybuiltforon-premisesenvironmentsandhavebeenslowtosupportnewercloudtechnologies.

2.DevSecOpsmarketremainshighlyfragmentedandrelativelyimmature.IDCforecaststheoverall

DevSecOpssoftwaretoolsmarkettogrowto$15.6billionin2028,representingafive-yearCAGRof21.6%(from2023through2028),drivenbytheneedtoshipapplicationssecurelyandquickly.Thetopfivemarketshareleaders(Synopsys,Microsoft,Veracode,PaloAltoNetworks,andCheckmarx)representjust26.5%oftheoverallmarket,suggestingthatthemarketisstilldynamicandmaturing.

3.Intheintermediateterm,webelievedeveloperplatforms,CNAPPs,andmodernapplicationsecurityvendorshavetherighttowinintheDevSecOpsmarket.Developer-centricplatformsbenefitfrom

unparalleledintegrationintodeveloperworkflows,broadadoption,andsignificantplatformeffects.Security,however,isnotthesevendors’corecompetency,sowebelieveCNAPPvendorsandmodernapplication

securityvendorsalsohavearighttowin.CNAPPplayersenableunifiedcloudandapplicationsecuritywith

comprehensivesolutionsthathelpbridgesoftwaredevelopmentandruntimeenvironments.Webelieve

modernDevSecOpsvendors,likeSnyk,arewellpositionedoverthemediumtermduetotheirdeveloper-firstapproachandeaseofuse,allowingdeveloperstoproactivelyaddresssecurityissuesdirectlyincode.Modernvendorshavebeenexpandingtheircapabilities,thoughtheyfacecompetitivepressuresfrombroader

platformsthatincreasinglyoffersimilarfunctionality.Inourview,however,modernDevSecOpsvendors’specializationindevelopersecurityputsthemaheadofthecompetitionandprovidestheopportunitytopotentiallypartnerwithCNAPPvendorsorcontinueexpandingcapabilities.

4.Longerterm,DevSecOpscapabilitieswilllikelyconsolidateintobroaderplatformsofferedby

developerplatformprovidersandCNAPPvendors.Inourview,organizationshaveastrongdesirefor

simplicity,reducedtoolsprawl,andunifiedsecurityanddevelopmentworkflows,andassecuritybecomesamoreintrinsicpartofthesoftwaredevelopmentlifecycleovertime,platformsprovidingend-to-endsoftwaredevelopmentandcloudmanagementcapabilitieshaveverystrongvaluepropositions.Webelievedeveloperplatforms,likeGitHubandGitLab,andCNAPPvendors,likeWiz,PaloAltoNetworks,andCrowdStrike,will

ultimatelyconsolidateDevSecOpsfeaturesintoabroaderplatformsolution.Hyperscalers(Amazon,

Microsoft,andGoogle)alsohaveanopportunitytoconsolidateDevSecOpsfeatureslongerterm,astheyownthecloudinfrastructureandcanintegratesecuritycapabilities,whichcouldaccelerategivenGoogle’srecentacquisitionofWiz,inourview.

5.Lookingahead,webelievetheDevSecOpsmarketwillmovetowardmoreunification,intelligence,andalignmentwithbusinessneedsthroughaconsolidatedsetofplatformscoveringapplication

securityacrossthefullspectrumofcodetoruntime.WebelievetheseplatformswillleverageAIand

automationforspeedandaccuracy,emphasizesoftwaresupplychainintegrity,andbeembeddedinto

developerworkflowstominimizeasmuchfrictionaspossible.Weexpectmajorcompetitorsindifferent

areas(likethehyperscalers,developerplatforms,specializedDevSecOpsvendors,andCNAPPs)toplay

distinctrolesbasedofftheircorecompetencies,andthatcustomerswilllikelygrowtheirDevSecOps

programswithoneofthesetypesofvendorsdependingontheirtypeoforganizationanditsmaturitylevel.

JonathanHo+131236482765

6.PurchasesofDevSecOpstoolsarestillultimatelymadebysecurityteams,assecuritybudgetslargelywinoutoverdevelopers.Developersandsecurityteamsusedtohaverelativelycomparableinfluenceon

decisionmaking.However,asbreacheshavetakenplaceandsecurityhasbecomeahigherpriority,developerinfluenceappearstobewaningrelativetothebudgetandauthoritywieldedbysecurityteams.Basedonourdiscussions,itappearsthatCISOs,applicationsecurityteams,andDevSecOpsteamstypicallycontrolthe

budgetformakingpurchasingdecisionsforDevSecOpstools,whiledevelopersdonotcurrentlyhavemuchinfluencedespitethemalsousingtheseproducts.Thus,vendorsneedtoprovideatoolthatisdeveloper

friendlywhilecommunicatingitsvaluetoasecurityperson,whichwebelievehasbeenachallengeinthe

industryandaninhibitortoadoptionbecausedeveloperssimplywillnotusethetoolifitistoocumbersomefortheirworkflow.

7.DevSecOpstoolcapabilitiesareincreasinglyoverlappingwithbroaderplatformsasvendorscontinuetoexpandtheircapabilities.WebelieveenterprisesareseekingholisticsolutionsthatseamlesslyintegratewithCI/CDpipelinestohaveallnecessarysecurityfunctionsinoneplace,whichwilllikelycontributeto

furtherconsolidationgoingforward.WebelievethedistinctionbetweenDevSecOpsandcloudsecuritytoolswillcontinuetofadeovertimeastheybecomepartofonetoolchainthatdeliverscontinuoussecurityfrom

codetocloud.DevSecOpssubmarkets,softwaresupplychainsecurity,andAPIsecurityarealsoblending

togetherandfurtherblurringtheboundariesofDevSecOps.Inourview,thethreeareasexperiencing

consolidationinDevSecOpsareapplicationsecuritytestingvendors,developerplatformproviders,and

CNAPPvendors.Wealsoexpectvendorconsolidationthroughacquisitionstoaccelerate,as2024hadrecord-highM&Aactivityinthesoftwaredevelopmentanddeploymentspace.

8.Overall,theDevSecOpsmarketissettobenefitfromAI,butitalsorepresentsoneofthebiggest

securitychallengestoday.WeexpectAItodrivehigherdemandandadoptionratesinDevSecOpsasaresultoftheadvantagesofAI-enhancedcybersecuritycapabilities,AIcodingassistantsbeingleveragedtowrite

morecodethatneedstobesecured,DevSecOpstoolsbecomingmoreefficientanduser-friendly,andtheneedtosecureAIitself.Longerterm,webelieveAIagentswillfurtherdrivetheneedforDevSecOpsassoftware

developmentbeginstofocusondevelopingAIagentsthatwillneedtobesecurebydesignlikeanapplication.WeviewquestionsoverhowtosafelyuseAIassomeofthemostimportantcybersecurityquestionsthatwillneedtobeansweredbeforeenterpriseadoptionaccelerates.

9.AutomationanddeveloperexperiencearecriticalcomponentsofDevSecOpstools.Webelieve

DevSecOpsrevolvesaroundautomation,asithelpsremovethefrictionbetweenDevOpsandsecurityteamsandenablesfasterandsaferdevelopmentcycles.Wealsobelieveautomationwillbeatthecenterofnext-

generationtools,especiallyasAIadoptionaccelerates,forbettersecuritytesting,fastervulnerability

detection,andautomaticremediationofcodeissues.Automationisalsoimportantforimprovingthe

developerexperienceastonotimpedeandslowdowntheirworkflows.Mostdeveloperswanttofocusonwritingcode,andautomationreducesthecognitiveloadfordevelopers,withautomatedsecuritymeasuresintegrateddirectlyintotheirworkflows,makingiteasierfordeveloperstoresolveissuesastheyariseandhelpingwithDevSecOpsadoption.

10.DevSecOpsadoptionismixedamongorganizationsandmaturitylevelsvarygreatly,evenwithin

organizations.Webelievethereisfurtherroomforadoptionaslessthanhalf(47%)oforganizations

regularlyemployDevSecOpspractices,accordingtoasurveybyTechstrongResearch.Manyorganizations

havebeenslowtoadoptDevSecOpspracticesandtechnologiesbecauseapplicationsecurityisdifficultand

constantlyevolvingwithnewtechnologies(likeAI)andsoftwaresupplychainconcerns,DevSecOpsrequiresalotoftoolsandresourcesthatmaybenewattackvectors,collaborationbetweendifferentteamscanbe

complex,anddeveloperexperienceremainsachallenge.WebelieveeveryDevOpsprogramtodayshouldbeaDevSecOpsprogramgiventhefastpaceofmodernsoftwaredevelopment,thefactthatcybersecurityrisknowrepresentsoverallbusinessrisk,andthatattacksonapplicationsandAPIscontinuetoincrease.

JonathanHo+131236482766

11.Despitechallenges,DevSecOpsadoptioncontinuestogrowasorganizationsrecognizetheimportanceofdeliveringsecuresoftwareandthelong-termbenefitsofreducedvulnerabilities,fasterincident

responsetimes,andimprovedcompliance.WebelieveorganizationswillcontinuetoadoptandmatureDevSecOpspracticesasplatformengineeringbecomesmorepopular,softwaresupplychainsneedgreatersecurity,AIdrivesmorecodeandvulnerabilities,developersbecomemorefamiliarwithsecuritytoolsandawareofsecurecodingpractices,andorganizationsrecognizetheneedfortheirsoftwaretobesecurebydesign.

12.DevSecOpsisbecomingsynonymouswithsoftwaresupplychainsecurity.DevSecOpstoolsare

increasinglyfocusingonsecuringthesoftwaresupplychain,withagreateremphasisonmanagingopen-

sourcecomponents,applicationbuildintegrity,andSBOMgenerationassoftwaresupplychainexploits

remainontherise.Webelieveopen-sourcesoftwareriskistopofmindfororganizationsasupto90%ofamodernapplicationiscomposedofopen-sourcecomponents.Effectivesoftwaresupplychainsecurity

involvesmanagingtheseopen-sourceandthird-partyelements,securecodingpractices,andCI/CDsecurity,allofwhichoverlapwithDevSecOpspractices.

13.DevSecOpsplatformsembedsecurityintosoftwaredevelopmentworkflowstodeliversecure

softwarewithoutsacrificingtherapidpaceofmoderndevelopmentpractices.DevSecOpsplatform

solutionshelporganizationsdetectandremediatevulnerabilitiesearlyinthedevelopmentprocessby

integratingsecurityintotheentiresoftwaredevelopmentlifecycle.Thesesolutionsprovideorganizations

withtheabilitytoscalesecurityacrossmultipleteamsandpipelines;enhancevisibilityintoapplication

securityandcomplianceposture;improvecollaborationbetweendevelopers,security,andIToperations

teams;supportsecurityformodernapplicationarchitectures;betterintegrateDevSecOpstooling;andembedsecuritythroughoutthesoftwaredevelopmentprocess.

JonathanHo+131236482767

ExaminingtheDevSecOpsMarketLandscape

InIDC’sWorldwideDevSecOpsSoftwareToolsMarketSharessnapshotfor2023,itestimatedthemarketsizeto

be$5.9billionwithgrowthof23.3%fromtheprioryear.ThetopfiveleadingvendorsinthemarketareSynopsys,witha6.6%marketshare;Microsoft,witha5.6%share;Veracode,witha5.4%share;PaloAltoNetworks,witha5.3%share;andCheckmarx,witha3.5%share.Together,thesefivevendorsrepresentjust26.5%oftheoverall

market,whichwebelieveindicatesthatthemarketisstillevolvingandrelativelyimmature.AccordingtoIDC,inmanymaturesoftwaremarkets,thetopfivevendorsrepresentmorethantwo-thirdsofthetotalrevenue.

Exhibit1

OntheGroundandIntheCloud;ADeveloperTechnologyQuarterly

DevSecOpsMarketShares,2023($inMillions)

2021

2022

2023

2023Share

(%)

2022-2023Growth

(%)

Synopsys

$314

$344

$388

6.6%

12.9%

Microsoft

$181

$257

$332

5.6%

28.9%

Veracode

$225

$272

$318

5.4%

16.8%

PaloAltoNetworks

$146

$222

$312

5.3%

40.9%

Checkmarx

$151

$172

$209

3.5%

21.9%

Snyk

$62

$143

$208

3.5%

45.0%

OpenText

$192

$192

$193

3.3%

0.2%

IBM

$150

$158

$166

2.8%

4.8%

Akamai

$121

$138

$157

2.7%

14.2%

GitLab

$49

$96

$156

2.7%

62.3%

TrendMicro

$110

$128

$142

2.4%

11.4%

Google

$67

$101

$122

2.1%

20.5%

AmazonWebServices

$74

$94

$107

1.8%

13.7%

Lacework

$58

$81

$100

1.7%

23.1%

F5

$59

$70

$87

1.5%

24.3%

Cisco

$70

$73

$76

1.3%

4.7%

Perforce

$56

$63

$73

1.2%

15.6%

Mend

$41

$55

$64

1.1%

15.7%

SaltSecurity

$19

$34

$62

1.1%

83.1%

CyberArk

$41

$48

$62

1.0%

27.7%

ContrastSecurity

$42

$52

$60

1.0%

16.0%

AquaSecurity

$26

$35

$56

1.0%

62.3%

Other

$1,614

$1,949

$2,441

41.4%

25.3%

Total

$3,867

$4,775

$5,889

100.0%

23.3%

Source:WilliamBlairEquityResearchbasedonIDCestimates;IDCDevSecOpsSoftwareToolsMarketShares,August2024

JonathanHo+131236482768

Exhibit2

OntheGroundandIntheCloud;ADeveloperTechnologyQuarterly

DevSecOpsMarketSharesbyFunctionality,2023

InformationandDataSecurity3.9%

NetworkSecurity

19.7%

SecurityAnalytics

55.3%

$5.9BMarket

23.3%GrowthYoY

CNAPP

21.1%

Source:WilliamBlairEquityResearchbasedonIDCestimates;IDCDevSecOpsSoftwareToolsMarketShares,August2024

WebelievetherearefourmaingroupsofcompetitorsintheDevSecOpsmarket:1)legacyapplicationsecurity

vendors,2)modernapplicationsecurityvendors,3)CNAPPplayers,and4)developerplatformproviders.Over

thelongterm,webelievedeveloperplatforms(GitHubandGitLab)andCNAPPvendors(Wiz,PaloAltoNetworks,andCrowdStrike)havethestrongestrighttowinmarketshare.Developerplatformsbenefitfromunmatched

workflowintegration,developerfamiliarity,andplatformeffectsofdevelopersnaturallyadoptingbuilt-in

securitycapabilitiesastheystreamlineandconsolidatetools.CNAPPvendorsofferunifiedcloudandapplicationsecuritywithbroadcapabilities(securityfromcodetoruntime)anddeepcloud-nativesecurityexpertise.Inthemediumterm,webelievemodernapplicationsecurityvendors(suchasSnykandContrastSecurity)haveaplaceinthemarket,astheyarehighlyinnovativeanddeveloper-centricbutfacepressurefromplatformsthatare

increasinglyembeddingsecurityfunctionality.Inourview,thesevendorswillhaveaplaceinthemarketaslongasthedeveloperplatformsandCNAPPvendorslagintheirdevelopersecuritycapabilities.Theycouldalso

partnerwithCNAPPvendors,thoughlongerterm,weseepotentialforthesebroadervendorstomoreeffectivelycompeteorpossiblyacquiresomepureapplicationsecurityvendorstoensuretheyhaveastrongsetof

capabilities.Webelievelegacyvendorsarecurrentlylosingmarketshareandarecontinuallyhavingtoadapttomodernworkflows.Overall,webelievethevaluepropositionsofdeveloperplatformsandCNAPPvendorsare

verystrongandthattheyholdastrategicadvantageintheDevSecOpslandscapebasedonintegratedworkflows,platformconsolidation,enterpriseadoption,andtheacceleratedshifttowardcloud-nativearchitectures.

LegacyApplicationSecurityVendors

LegacyvendorsintheDevSecOpsspacearethosethattypicallyoriginatedfromearlyapplicationsecuritytoolsbeforethecloud-nativeera.ThesevendorsincludecompanieslikeCisco,IBM,Broadcom,andMicroFocus

(OpenText)thatgenerallybuilttheirreputationsontraditionalstaticapplicationsecuritytesting(SAST)anddynamicapplicationsecuritytesting(DAST)toolsthatwereusuallydeliveredason-premisesenterprise

solutions.WebelievetheselegacytoolsarenotbuiltforthespeedthatDevSecOpsrequiresandareless

integratedintodeveloper